Your message dated Tue, 26 May 2026 22:50:17 +0000
with message-id <[email protected]>
and subject line Bug#1137429: fixed in systemd 261~rc2-1
has caused the Debian Bug report #1137429,
regarding systemd: Changes permissions of root directory from 0755 to 0555
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137429
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 261~rc1-1
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Tags: upstream
Control: affects -1 + piuparts base-files

Since 261~rc1, the systemd package contains a tmpfiles.d(5) snippet 
/usr/lib/tmpfiles.d/root.conf which sets the permissions of the root 
directory to 0555. This appears to have been added in 
https://github.com/systemd/systemd/pull/41431 upstream, originally as a 
way to make the system bootable if the root filesystem was mistakenly 
bootstrapped, untarred etc. onto an existing filesystem that was created 
with overly-restrictive permissions like 0700. (Conversely, it would 
also be helpful if the filesystem had started with overly-broad 
permissions like 02775, which should be tightened.)

According to comments on the PR, upstream intentionally chose to use 
0555 rather than 0755, as a preemptive hardening mechanism so that if 
code is running as uid 0 with no CAP_DAC_OVERRIDE, it can't write the 
root directory (although this likely only provides any hardening in 
practice if all root-owned files are on read-only filesystem mounts, 
otherwise root-without-caps can just elevate privileges to 
root-with-caps by overwriting an executable that root-with-caps will 
run, such as systemd itself).

This all seems like entirely reasonable reasoning, but it has the effect 
of changing the permissions of the root directory of existing Debian 
installations, typically from 0755 to 0555, which is not necessarily 
expected. It also leads to piuparts complaining about / having changed 
whenever the systemd package is installed and subsequently purged, for 
example while testing dbus-system-bus-common, which is how I found this.

If we want the root filesystem of Debian systems to be canonically 0555 
rather than 0755, that seems like something that should be coordinated 
with base-files and maybe debootstrap/mmdebstrap/cdebootstrap, so that 
it will be true for all machines/containers/chroots and not just those 
that have the systemd package? (I'm not sure which component actually 
chooses the permissions of the root filesystem during bootstrapping - 
base-files, or the specific bootstrapper implementation that was used.)

Or if this change wasn't intended or isn't desired, the systemd package 
could either not install root.conf, or mask it with an empty 
/etc/tmpfiles.d/root.conf.

    smcv

--- End Message ---
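The report above turns on two facts about tmpfiles.d(5): a snippet in /usr/lib/tmpfiles.d can change the mode of /, and a file with the same basename in /etc/tmpfiles.d (an empty one, or a symlink to /dev/null) masks it. The script below is an added example, not code from the bug report, from systemd or from Debian. It reimplements that lookup and masking rule against constructed directories under a mktemp prefix, so it never touches the real root directory, and reports what the effective snippet would do to the stand-in for /. The snippet line `z / 0555 - - -` is a constructed stand-in; the exact content of the shipped root.conf is not reproduced here. The function names (tmpfiles_effective, tmpfiles_state, root_mode_change, make_fixture) are this example's own, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/bash
# Added example, not code from the Debian bug report or from systemd: a small
# reimplementation of the tmpfiles.d(5) lookup and masking rule, used to tell
# whether a shipped snippet such as root.conf is in effect and what mode it
# would apply. Runs only on constructed directories under a prefix.
set -eu

# tmpfiles.d(5): a snippet in /etc/tmpfiles.d overrides one of the same name in
# /run/tmpfiles.d, which overrides /usr/lib/tmpfiles.d. Print the winning path.
tmpfiles_effective() {
    local prefix="$1" name="$2" d
    for d in etc/tmpfiles.d run/tmpfiles.d usr/lib/tmpfiles.d; do
        if [ -e "$prefix/$d/$name" ] || [ -L "$prefix/$d/$name" ]; then
            printf '%s\n' "$prefix/$d/$name"
            return 0
        fi
    done
    return 1
}

# Classify the winning snippet: "absent" (no file at any level), "masked"
# (empty file, symlink to /dev/null, or comments only) or "active" (has a directive).
tmpfiles_state() {
    local prefix="$1" name="$2" f
    f=$(tmpfiles_effective "$prefix" "$name") || { echo absent; return 0; }
    if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then echo masked; return 0; fi
    if grep -Eq '^[[:space:]]*[^#[:space:]]' "$f" 2>/dev/null; then echo active; else echo masked; fi
}

# Print the octal mode that a d/z/Z line in snippet $1 would apply to path $2
# (prints nothing if the snippet has no such line).
snippet_mode_for() {
    awk -v p="$2" '$1 ~ /^[dzZ]$/ && $2 == p { print $3; exit }' "$1"
}

# Current mode of a directory as octal digits, e.g. 755 (GNU coreutils stat).
dir_mode() { stat -c %a "$1"; }

# Report what applying the effective root.conf would do to $prefix/root, the
# stand-in for /: "noop" (masked, absent, or already at the target mode) or "OLD->NEW".
root_mode_change() {
    local prefix="$1" f want have
    [ "$(tmpfiles_state "$prefix" root.conf)" = active ] || { echo noop; return 0; }
    f=$(tmpfiles_effective "$prefix" root.conf)
    want=$(snippet_mode_for "$f" /)
    have=$(dir_mode "$prefix/root")
    want=${want#0}   # tmpfiles writes 0555, stat -c %a prints 555
    if [ -z "$want" ] || [ "$want" = "$have" ]; then echo noop; else echo "$have->$want"; fi
}

# Constructed fixture: a 0755 directory standing in for /, a stand-in for the
# shipped /usr/lib/tmpfiles.d/root.conf, and optionally the empty /etc mask the
# bug report suggests. Prints the prefix. Argument: "yes" to add the mask.
make_fixture() {
    local masked="$1" t
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/tmpfiles.d" "$t/etc/tmpfiles.d" "$t/root"
    chmod 0755 "$t/root"
    printf '%s\n' '# constructed stand-in for the shipped root.conf' 'z / 0555 - - -' \
        > "$t/usr/lib/tmpfiles.d/root.conf"
    if [ "$masked" = yes ]; then : > "$t/etc/tmpfiles.d/root.conf"; fi
    printf '%s\n' "$t"
}

main() {
    local p
    p=$(make_fixture no)
    echo "unmasked: state=$(tmpfiles_state "$p" root.conf) change=$(root_mode_change "$p")"
    p=$(make_fixture yes)
    echo "masked:   state=$(tmpfiles_state "$p" root.conf) change=$(root_mode_change "$p")"
}

main "$@"
```

On a real Debian system the same two questions are answered by `stat -c %a /` (755 before the snippet has run, 555 after) and by `systemd-tmpfiles --cat-config`, which prints the merged configuration with masked snippets already dropped. Note that the empty /etc/tmpfiles.d/root.conf only stops the change from being applied again; it does not restore a root directory that has already been set to 0555, which has to be chmod'ed back by hand if that is what is wanted.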
--- Begin Message ---
Source: systemd
Source-Version: 261~rc2-1
Done: Luca Boccassi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Boccassi <[email protected]> (supplier of updated systemd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 May 2026 22:10:39 +0100
Source: systemd
Architecture: source
Version: 261~rc2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <[email protected]>
Changed-By: Luca Boccassi <[email protected]>
Closes: 1137429 1137522
Changes:
 systemd (261~rc2-1) unstable; urgency=medium
 .
   * Clean up autovt@ alias on purge. (Closes: #1137522)
   * Workaround piuparts issue with / permissions. (Closes: #1137429)
   * Update upstream source from tag 'upstream/261_rc2' Update to upstream
     version '261~rc2' with Debian dir
     5514a46d042723c403871455547bb889f465f396
   * Drop patches, all merged upstream
Checksums-Sha1:
 c13243971a5d4fb990f771f53825084f5f5eff3c 8681 systemd_261~rc2-1.dsc
 bb99239378d38c498ab00aaba46ca65727766d68 18301808 systemd_261~rc2.orig.tar.gz
 52fe82a6ea212382eb04849bb9608419156c96a4 186360 systemd_261~rc2-1.debian.tar.xz
 cfa91144e7423ccd0856d8b44031905609ef856d 14691 systemd_261~rc2-1_source.buildinfo
Checksums-Sha256:
 c0976a2f31bffabbf81a9f206cb923d0ba2faf0fdcd2afd6685b1cc7d133294d 8681 systemd_261~rc2-1.dsc
 94cf3938b2a8a916e537de02eeb24bc49621e6d9ee6ea4337567b8060f5821ed 18301808 systemd_261~rc2.orig.tar.gz
 c0fd9c27174d43477e5166d8d8c21ef40e1766ccbc459abb41afb3758f026988 186360 systemd_261~rc2-1.debian.tar.xz
 43db3137a06f378629106a62b3ebac5780cc400818836c0f3969f337e5303a96 14691 systemd_261~rc2-1_source.buildinfo
Files:
 196cbd8d27d101bcf8ea36c52cd6b9b5 8681 admin optional systemd_261~rc2-1.dsc
 76f2068e7c896e593081df51fa19ad53 18301808 admin optional systemd_261~rc2.orig.tar.gz
 4394123397621f0293786803ad5baa6f 186360 admin optional systemd_261~rc2-1.debian.tar.xz
 9238037435c44b7e8eed8a402b946431 14691 admin optional systemd_261~rc2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
